We have had a BT engineer visit recently, trying to solve a problem with our IP phone system.

One point they made was that we had four DHCP servers running on the network. I have disabled two of them (one of them should be running) and tested everything is working as it should. However, the fourth DHCP server eludes me!

The device has an IP address of 192.168.1.59, I can successfully ping the IP address.

3 Answers
3

nmap is great for this. Besides letting you know which ports the server is listening on (which is often enough to identify its operating system) it can also do OS fingerprinting which is usually quite good. The OS fingerprinting can often even identify printer models.

You can check your arp tables for the MAC address, which on UNIX is done with

arp -a -n | grep 192.168.1.59

I presume Windows has an analogue.

You can then cross-reference the first three octets of the MAC address with a vendor identification lookup, of which there are many on the web. One such is here (I know nothing about it, it just came up first in a google search). That should tell you who made the piece of equipment, which often helps in identifying it.

If you have manageable switches, you can also cross-reference that mac address with the spanning tree on the switch, which will tell you which switch port that MAC address appears on, which often identifies the individual cable that has the thing on the other end. How to talk to your managed switch depends on who made it, and is beyond the scope of a simple SF answer. This is the fastest method of finding a box in these cases, but it does require some network smarts and manageable switches.

Failing all that, you can try telneting to well-known ports; I often try 139 (getting a connection means it's either a Windows box or it's a unix box running SaMBa), 22 (the ssh banner can give hints as to the manufacturer) and 80 (if there's a web server running, typing GET /<CR><CR> often returns useful error text.